7.6 Microsoft Remote Desktop Protocol

Remote Desktop Protocol
(RDP, also known as
Microsoft Terminal Services) provides
thin client access to the Windows desktop. The Windows 2000, XP, and
2003 Server platforms usually run these services. The RDP service
runs by default on TCP port 3389, accessed using the remote desktop
client as shown in Figure 7-2.

Figure 7-2. Connecting to RDP using the remote desktop client

The Microsoft RDP client is available at http://download.microsoft.com/download/whistler/tools/1.0/wxp/en-us/msrdpcli.exe.

7.6.1 RDP Brute-Force Password Grinding

After locating accessible RDP servers (by port
scanning for TCP 3389) and performing enumeration through anonymous
NetBIOS sessions (see Chapter 9) to identify
potentially weak user accounts, an attacker can launch brute-force
password-grinding attacks. The Administrator
account is usually a good place to start because it
can't be locked out locally after multiple failed logon
attempts.

Tim Mullen
(http://www.hammerofgod.com) put
together a useful tool called tsgrinder for
brute-forcing terminal services. tsgrinder
(Version 2.03 at the time of writing) is available at http://www.hammerofgod.com/download.htm.

The tsgrinder tool takes advantage of two features
within the terminal services security model. The first is that failed
authentication attempts are logged only if a user provides six
incorrect username and password combinations within a given session.
tsgrinder launches multiple parallel sessions
and provides five sets of user credentials in each before disconnecting, so
its attempts are not logged under the default terminal services configuration.
The second feature is that the tool uses the RDP encrypted channel
options when attempting to log on, so that an IDS
won't pick up on the attack.
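Because the default configuration only records a failed logon after six bad attempts in one session, and because the attempts travel over the encrypted channel, the authentication log and a payload-inspecting IDS both miss the pattern described above. What does remain visible is the connection pattern itself: many short-lived TCP 3389 sessions from one source in a short period. The following is an added example (not code from the book or from the tsgrinder project) that flags that pattern over constructed connection-log lines; the log format, the thresholds and the sample addresses are all assumptions for illustration.

```python
"""Added example: flag sources that open many short-lived RDP sessions.

Neither the log format nor the thresholds come from the book; they are
assumptions chosen to illustrate detecting the connection pattern the
text describes (many parallel, quickly-closed sessions to TCP 3389).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389

# Constructed sample lines (assumed format: "timestamp src dst_port duration_s").
# 10.0.0.5 opens eight RDP sessions lasting ~10 s each within nine seconds;
# 10.0.0.9 is a single long interactive session; 10.0.0.7 is a single short one;
# the final line is the same source talking to SMB, which is out of scope here.
SAMPLE_LOG = """\
2004-03-01T10:00:00 10.0.0.5 3389 12
2004-03-01T10:00:01 10.0.0.5 3389 11
2004-03-01T10:00:01 10.0.0.5 3389 13
2004-03-01T10:00:02 10.0.0.5 3389 10
2004-03-01T10:00:03 10.0.0.5 3389 12
2004-03-01T10:00:05 10.0.0.5 3389 9
2004-03-01T10:00:07 10.0.0.5 3389 14
2004-03-01T10:00:09 10.0.0.5 3389 11
2004-03-01T10:00:30 10.0.0.9 3389 1800
2004-03-01T10:05:00 10.0.0.7 3389 20
2004-03-01T10:05:00 10.0.0.5 445 5
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, port, duration)."""
    ts, src, port, duration = line.split()
    return datetime.fromisoformat(ts), src, int(port), int(duration)


def find_session_grinding(log_text, window=timedelta(minutes=5),
                          min_sessions=5, max_duration=60):
    """Return {src: peak_count} for sources whose number of short RDP sessions
    inside any sliding window of length `window` reaches `min_sessions`.

    Only sessions to RDP_PORT that closed within `max_duration` seconds count,
    which separates quick connect/disconnect cycles from real desktop sessions.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, duration = parse_line(line)
        if port == RDP_PORT and duration <= max_duration:
            per_src[src].append(ts)

    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window fits, track the peak.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_sessions:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_session_grinding(SAMPLE_LOG).items():
        print(f"{src}: {count} short RDP sessions within the window")
```

The check deliberately ignores what was sent inside each session, since that is encrypted; it relies only on connection metadata that a firewall or flow collector records regardless of the server's logon-auditing threshold. Raising the logging threshold on the server, or auditing every failed logon, would make the event log itself useful again for the same purpose.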

7.6.2 RDP Vulnerabilities

A number of denial-of-service and memory-leak issues have been
found
in Microsoft Terminal Services over the last three years. At the time
of writing, MITRE CVE lists two serious remotely exploitable issues
within terminal services, as detailed in Table 7-6.

Table 7-6. Remotely exploitable Microsoft Terminal Services bugs

RDP Version 5.0 in Microsoft Windows 2000 and 5.1 in Windows XP
don't encrypt the checksums of plaintext session
data, which can allow a remote attacker to determine the contents of
encrypted sessions via sniffing.